Description
Currently, all resources of a single cluster have to be declared in the same workspace with a single module.
This morning, we encountered an issue with a cluster where the auto-apply configuration in Terraform Cloud almost replaced all the instances because of a change in an Azure provider default value. The change was fortunately prevented by a dependency issue, but nevertheless we were lucky.
For long-standing environments, putting the short-lived compute instances in a separate workspace would prevent this issue. It would potentially also be more secure if we were to create a token for the compute instance workspace only.
To be able to do this, we need the Terraform main module to be able to output:
- Puppet server IP address
- password to join the Puppet server
- bastions' IP address
- tf user private SSH key
- network related resource ids (security group, network, subnetwork, ...)
The output of the management infrastructure workspace could be connected to the compute infrastructure workspace using terraform_remote_state, see https://developer.hashicorp.com/terraform/tutorials/cloud/cloud-run-triggers
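
A sketch of the two-workspace split proposed above, added here as an example and not taken from the project's code. The output names, the organization and workspace names, and all values are constructed placeholders.

```hcl
# ===== management workspace: outputs.tf =====
# Constructed placeholder values; in a real workspace these would
# reference the resources created by the main module.
locals {
  puppetserver_ip      = "10.0.0.5"
  puppet_join_password = "placeholder-not-a-real-secret"
  network_ids          = { network = "net-placeholder", subnet = "subnet-placeholder", security_group = "sg-placeholder" }
}

output "puppetserver_ip" {
  value = local.puppetserver_ip
}

output "puppet_join_password" {
  value     = local.puppet_join_password
  sensitive = true # hides the value in plan/apply display; it is still stored in the state
}

output "network_ids" {
  value = local.network_ids
}

# ===== compute workspace: main.tf =====
# Reads the root-module outputs of the management workspace.
data "terraform_remote_state" "mgmt" {
  backend = "remote"
  config = {
    organization = "example-org" # placeholder
    workspaces = {
      name = "cluster-mgmt" # placeholder
    }
  }
}

locals {
  # Only values exported as outputs above are reachable through .outputs
  mgmt_puppetserver_ip = data.terraform_remote_state.mgmt.outputs.puppetserver_ip
  mgmt_join_password   = data.terraform_remote_state.mgmt.outputs.puppet_join_password
  mgmt_subnet_id       = data.terraform_remote_state.mgmt.outputs.network_ids["subnet"]
}
```

`terraform_remote_state` needs read access to the whole state snapshot of the management workspace, so a token scoped to the compute workspace can still read every secret held in that state, including outputs marked `sensitive`. The `tfe_outputs` data source from the `hashicorp/tfe` provider reads only the outputs and is the narrower option when both workspaces live in Terraform Cloud.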